Slurm Authentication Plugin API

Overview

This document describes Slurm authentication plugins and the API that defines them. It is intended as a resource to programmers wishing to write their own SLURM authentication plugins.

Slurm authentication plugins are Slurm plugins that implement the Slurm authentication API described herein. They must conform to the Slurm Plugin API with the following specifications:

const char plugin_type[]
The major type must be "auth." The minor type can be any recognizable abbreviation for the type of authentication. We recommend, for example:

  • none — A plugin that implements the API without providing any actual authentication service. This may be used for testing purposes, but is not suitable for production use due to lack of effective security.
  • munge — LLNL's Munge protocol (recommended plugin for production use).

const char plugin_name[]
Some descriptive name for the plugin. There is no requirement with respect to its format.

const uint32_t plugin_version
If specified, identifies the version of Slurm used to build this plugin and any attempt to load the plugin from a different version of Slurm will result in an error. If not specified, then the plugin may be loadeed by Slurm commands and daemons from any version, however this may result in difficult to diagnose failures due to changes in the arguments to plugin functions or changes in other Slurm functions used by the plugin.

The programmer is urged to study src/plugins/auth/none/auth_none.c for an example implementation of a Slurm authentication plugin.

Data Objects

The implementation must support an opaque class, which it defines, to be used as an authentication "credential." This class must encapsulate all user-specific information necessary for the operation of the API specification below. The credential is referred to in Slurm code by an anonymous pointer (void *).

The implementation must maintain (though not necessarily directly export) an enumerated errno to allow Slurm to discover as practically as possible the reason for any failed API call. The following enumerated integer values (declared in src/common/slurm_auth.h) must be used when appropriate.

SLURM_AUTH_BADARG> —an argument to an API function was invalid or malformed.
SLURM_AUTH_MEMORY> —a request could not be satisfied because memory for it could not be allocated.
SLURM_AUTH_NOUSER> —a credential is improper because it refers to an unknown user.
SLURM_AUTH_INVALID> —a credential is improper because the validation of it has failed. This is specifically distinct from the expiration of a credential.
SLURM_AUTH_MISMATCH> —a credential could not be properly unpacked because it is of an incompatible type or version.

These values must not be used as return values in integer-valued functions in the API. The proper error return value from integer-valued functions is SLURM_ERROR. While it is most practical to associate a different errno with each instance of a credential, this is not necessarily enforced by the API. The implementation should endeavor to provide useful and pertinent information by whatever means is practical. In most cases, this means an errno for each credential, since plugins must be re-entrant. If a plugin maintains a global errno in place of or in addition to a per-credential errno, it is not required to enforce mutual exclusion on it. Successful API calls are not required to reset any errno to a known value. However, the initial value of any errno, prior to any error condition arising, should be SLURM_SUCCESS.

Plugins may assign implementation-specific values to errno so long as they do not conflict with the values assigned above. This is done programmatically by assigning plugin-specific errno values which are arithmetically greater than or equal to the symbol SLURM_AUTH_FIRST_LOCAL_ERROR.

API Functions

The following functions must appear. Functions which are not implemented should be stubbed.

int init (void)

Description:
Called when the plugin is loaded, before any other functions are called. Put global initialization here.

Returns:
SLURM_SUCCESS on success, or
SLURM_ERROR on failure.

void fini (void)

Description:
Called when the plugin is removed. Clear any allocated storage here.

Returns: None.

Note: These init and fini functions are not the same as those described in the dlopen (3) system library. The C run-time system co-opts those symbols for its own initialization. The system _init() is called before the SLURM init(), and the SLURM fini() is called before the system's _fini().

void *slurm_auth_create(char *auth_info);

Description: Allocates from the free store an anonymous credential object and returns a pointer to it. The pointer should be valid until passed to slurm_auth_destroy() for disposal. Slurm will not pass credentials to the API which have not been allocated by this function.

Arguments:
argv   (input) plugin specific information. auth_info   (input) plugin specific identification of the server.

Returns: A pointer to a newly allocated credential if successful. On failure, the plugin should return NULL and set its errno to an appropriate value to indicate the reason for failure.

int slurm_auth_destroy (void *cr);

Description: Deallocates a credential that was allocated with slurm_auth_alloc() and any associated storage that has been allocated for it during its use.

Arguments: cr    (input) pointer to the credential that is to be deallocated. Cannot be NULL.

Returns: SLURM_SUCCESS if successful. On failure, the plugin should return SLURM_ERROR and set the errno to an appropriate value to indicate the reason for failure.

int slurm_auth_verify (void *cr, char *auth_info );

Description: Verifies that a credential is in order and correctly identifies the associated user. It also verifies that the credential has not expired. If verification is successful, the return values of slurm_auth_get_uid() and slurm_auth_get_gid() in subsequent calls must correspond to the actual verified system UID and GID of the user associated with the credential. Verification must fail if the credential has not previously been activated, even if a credential implementation cannot exist in an unactivated state. A credential's valid term is defined at activation and verification must fail if the credential has expired, even if it would otherwise be valid.

Arguments:
cr   (input) pointer to the credential which is to be verified. Cannot be NULL.
auth_info   (input) plugin specific identification of the server.

Returns: SLURM_SUCCESS if the credential is verified to be in order and has not expired. If the credential cannot be verified, or if the credential has expired, the function should return SLURM_ERROR and set its errno to an appropriate value to indicate the reason for failure.

uid_t slurm_auth_get_uid (void *cr, char *auth_info);
gid_t slurm_auth_get_gid (void *cr, char *auth_info);

Description: Extracts the numerical UID (GID) of the user corresponding to the given credential. Slurm considers this value trustworthy only if the credential has been successfully verified using slurm_auth_verify(). An unverified credential does not immediately give rise to an error condition in these functions, since this would require a plugin to distinguish between a verified and an unverified credential, which may be computationally expensive. A plugin may consider the lack of verification as an error.

Arguments:
cr    (input) pointer to the credential containing the desired identification. Cannot be NULL.
auth_info   (input) plugin specific identification of the server.

Returns: If successful, the Linux UID (GID) associated with the credential. In case of error, SLURM_AUTH_NOBODY should be returned and errno set appropriately to indicate the cause of the failure.

int slurm_auth_pack (void *cr, Buf buf);

Description: Marshals a credential into a buffer for transmission according to the Slurm packing protocol. All authentication plugins must first pack the plugin_type and then the plugin_version data before any plugin-specific data elements are packed. slurm_auth_pack() and slurm_auth_pack() are strictly reciprocal. The esult of a packing followed by an unpacking must be a functionally equivalent credential. A credential is deemed appropriate for marshalling at any time after its allocation and before its destruction.

Arguments:
cr    (input) pointer to the credential to pack.
buf    (input/output) the buffer into which the credential should be packed.

Returns: SLURM_SUCCESS if successful. On failure the plugin should return SLURM_ERROR and set the errno to indicate the reason for the failure.

int slurm_auth_unpack (void *cr, Buf buf);

Description: Unmarshals a credential from a buffer according to the Slurm packing protocol into a supplied (and presumed empty) credential object. The unmarshalled credential is not assumed to be activated or verified. The plugin_type and plugin_version data should first be unpacked from the buffer and verified for applicability. The API does not enforce that they must be equivalent, merely compatible. Compatibility is implementation-dependent.

Arguments:
cr    (output) pointer to the credential to pack.
buf    (input/output) the buffer from which the credential should be unpacked.

Returns: SLURM_SUCCESS if the credential was successfully unpacked. In case of failure, the function should return SLURM_ERROR and set errno appropriately to indicate the cause of the failure. If the function fails, no assumptions are made about the state of the credential except its suitability for destruction via slurm_auth_destroy().

int slurm_auth_print (void *cr, FILE *fp);

Description: Writes a human-readable representation of the credential to a standard I/O stream. There are no strict API constraints on the behavior of this function, however it is recommended that the information be as complete and as concise as possible. For example, lengthy digital "signatures" need not be printed bitwise, but may be represented by their checksum. The intent is to provide a depiction of the credential for debugging purposes.

Arguments: None.

Returns: SLURM_SUCCESS if successful. On failure the plugin should return SLURM_ERROR and set the errno appropriately to indicate the cause of failure.

int slurm_auth_errno (void *cr);

Description: Returns the current value of errno. Whether the value is associated with the given credential or with the plugin as a whole is implementation-dependent. Because this function can be used to discover the reason why a credential allocation has failed, the argument is advisory.

Arguments: cr     (input) pointer to the credential, the status of whose most recently executed API function is to be returned. This value may be NULL, indicating that the most recent errno value applicable to the plugin as a whole is to be returned.

Returns: The current value of errno or SLURM_SUCCESS if there is no error to report.

const char *slurm_auth_errstr (int errno);

Description: Provides a human-readable string associated with the given errno. The plugin need only supply error strings for the errno values it defines and not for errno values listed above that are required by the API.

Arguments: errno    (input) the plugin-specific errno for which a corresponding error message is desired.

Returns: A pointer to a static error message. This function must always return a pointer to a string, even if the string is empty or ambiguous such as "unknown error."

Last modified 27 March 2015